Fig 3 - uploaded by Alaa Khalil Jumaa
Flowchart for checking input queries 

Source publication
Article
— SQL injection (SQLI) is a major type of attack that threatens the integrity, confidentiality and authenticity or functionality of any database driven web application. It allows the attacker to gain unauthorized access to the back-end database by exploiting the vulnerabilities within the system in order to commit an attack and access resources. Da...

Similar publications

Conference Paper
Technology is growing rapidly and data is being stored on online servers. As technology evolves, it is also opening doors for cybercrime. Attackers are continually developing new methods, tools and techniques to deface online systems. A website with compromised security and vulnerabilities can give hackers the opportunity to get...

Citations

... These weaknesses can be manipulated by unauthorized users to gain unrestricted access to stored data [10]. Therefore, a proper mechanism is needed to prevent the attack, such as validating the user input on both the client and server side [13] [14]. Since the literature lacks a proper mechanism for preventing the attack at the application and database level, this has become the motivation of this study. ...
... 3) inappropriate error handling message [10] [14]. ...
... However, the default error messages reveal sensitive information and weaknesses of the database. The intruder of the system will learn from these errors, and this will give an opportunity for them to breach the system [14]. ...
Article
Structured Query Language (SQL) injection is one of the critical threats to database security. The effects of SQL injection attacks put the data contained in the database at risk of being exploited by irresponsible parties, compromising data integrity, disrupting server operations and in turn affecting the organization's image. Although SQL injection is an attack performed at the application level, SQL injection prevention requires security controls at all levels, namely the application level, database level and network level. The absence of SQL injection prevention measures at the application level makes the database vulnerable to attack. Reviews indicate that the current approaches are still not sufficient in addressing these three issues, which are i) improper use of dynamic SQL, ii) lack of an input validation process and iii) inconsistent error handling. Currently, program and database code security is based solely on basic security measures focused at the network level, such as network firewalls, database access control and web server request filtering. Unfortunately, these measures are still inadequate to safeguard the program code and databases from the attack. To overcome this shortcoming as addressed by these three issues, a new comprehensive method is proposed using an improved parameterized stored procedure to enhance database security. Experimental results prove that the proposed method is able to prevent SQL injection from occurring and able to shorten the processing time when compared with existing methods, hence improving database security.